Cloudflare and SOC 2 Compliance


Security compliance certifications are reports created by independent, third-party auditors that validate and 
document a company's commitment to security. These external auditors conduct a rigorous review of a company’s 
technical environment, evaluating whether there are thorough controls—or safeguards—in place to protect the 
security, confidentiality, and availability of information stored and processed in that technical environment. 


SOC 2 is a security certification established by the American Institute of CPAs. It consists of a technical audit and a 
requirement to outline and follow comprehensive information security policies and procedures. Cloudflare obtained 
our SOC 2 validation in 2019, and we include the report as part of our compliance package for current and potential 
customers under NDA. The more general, public version of the SOC 2 report is the SOC 3. It can be downloaded from 
our website here. In addition, a detailed overview of our security compliance journey can be found here. 


Part of Cloudflare’s approach to SOC 2 compliance involves transparency about which user controls remain
among our customers’ prescribed responsibilities. This document outlines that group of controls. It applies to the
Cloudflare Global Cloud Platform through which Cloudflare provides security, reliability and performance products 
to Enterprise customers, and excludes other products provided by Cloudflare. The description does not encompass 
every aspect of all the products provided or procedures followed by Cloudflare. Rather, the description enables 
current user entities and future user entities to understand how controls in place for the Global Cloud Platform are 
critical to Cloudflare's business and the overall control environment. 


Frequently asked questions about Cloudflare and SOC 2 


What accounts are in-scope for Cloudflare’s SOC 2 report? 
Enterprise customers are in-scope for Cloudflare’s SOC 2 report.


How do customers get a copy of the SOC 2 Report? 
Customers can request a copy of Cloudflare's SOC 2 report by contacting their Account Executive. 
Cloudflare requires all customers to sign a nondisclosure agreement before our report is provided. 


What Trust Service Criteria are in-scope for SOC 2? 
Cloudflare’s SOC 2 scope currently covers the security, confidentiality, and availability trust service criteria. 


What Cloudflare products are not in-scope for SOC 2? 
This description does not include Cloudflare's China-based platform and products served through Cloudflare's 
China-based platform. In addition, the following Cloudflare products are not in-scope for SOC 2: 


* China Network
* Magic Transit
* Stream
* Workers


SOC 2 User Entity Controls 


Users should consider whether the following controls have been placed in operation at user organizations: 


User entities of Cloudflare’s system are responsible for:

Establishing strong passwords and maintaining the confidentiality of authorized users’ usernames and passwords.
Applicable Trust Services Criteria: CC5.1, CC5.2, CC6.1, CC6.6

Enabling two-factor authentication in conjunction with usernames and passwords.
Applicable Trust Services Criteria: CC5.1, CC5.2, CC6.1, CC6.6

Acknowledging and agreeing that only authorized users are entitled to access the Cloudflare with their assigned usernames and passwords provided by Cloudflare.
Applicable Trust Services Criteria: CC2.3, CC6.1, CC6.2, CC6.3, CC6.5

Notifying Cloudflare promptly of any actual or suspected unauthorized use of any authorized user's account, username, or password, or any other breach or suspected breach of the terms of the original agreement.
Applicable Trust Services Criteria: CC2.3, CC4.2, CC7.1, CC7.3, CC7.4, CC7.5

Supporting and maintaining the availability of their website(s), the connectivity of their website(s) to the Internet, and all customer content, IP addresses, domain names, hyperlinks, databases, applications and other resources as necessary for customers to operate and maintain their website(s) to meet Customer's business requirements and to utilize the service.
Applicable Trust Services Criteria: CC2.3, A1.1, A1.2

Keeping and maintaining their own copy of all Customer Log Files, once delivered by Cloudflare.
Applicable Trust Services Criteria: CC5.1, CC5.2, A1.1, A1.2

Knowing what data they want and need to have cached.
Applicable Trust Services Criteria: CC9.1, CC8.1, CC6.7, A1.1, A1.2

Agreeing and allowing Cloudflare to act as their limited agent pursuant to the terms and conditions of the original agreement, for the purpose of providing Internet data and optimization services.
Applicable Trust Services Criteria: CC1.1

Complying with all laws applicable to its purchase and use of the Cloudflare, including without limitation, the export and import regulations of other countries.
Applicable Trust Services Criteria: CC3.1, CC1.1


Using available features or services, agreeing and acknowledging that they 
may be required to accept the licenses or agreements associated with such 
features or services, and to install additional software modules to use such 
features or services. 


Updating their information with Cloudflare, including providing Cloudflare with 
an up-to-date e-mail address for the provisioning of notices under the original 
agreement. 


Not assigning, subcontracting, delegating, or otherwise transferring the 
agreement or its rights and obligations herein, in whole or in part, by operation 
of law or otherwise, without obtaining the prior written consent of Cloudflare. 


Representing and warranting that the information they provide to Cloudflare 
regarding their network usage (including but not limited to bandwidth usage, 
number of domains, geographic location of users, and SSL requirements) in 
order to obtain a price quote which forms the basis of the original agreement, 
is truthful, accurate, and complete, to the best of their knowledge. 


Complying with the Enterprise Subscription Terms of Service and agreeing not 
to use Cloudflare in connection with any: (a) infringement or misappropriation 
of any intellectual property rights; (b) defamation, libel, slander, obscenity, or 
violation of the rights of privacy or publicity of any person or entity; or (c) other 
offensive, harassing, or illegal conduct. 


CC2.3, CC8.1 


CC2.3, CC8.1 


C1.1, CC2.3, CC8.1 


CC1.1, CC2.3, CC8.1 